Privacy Policy

Last updated: February 22, 2026

1. Introduction

Shield LLM ("we", "us", "our") respects your privacy. This Privacy Policy explains how we collect, use, store, and protect your personal data when you use our platform and services.

2. Data We Collect

We collect the following types of data:

  • Account information: Name, email address, and profile picture (when using Google OAuth).
  • Scan data: Target URLs, scan results, vulnerability reports, and security scores generated during scans.
  • Usage data: Pages visited, features used, scan frequency, and session duration.
  • Payment data: Processed by Stripe. We do not store credit card numbers. We retain your Stripe customer ID and subscription status.
  • API keys: Stored as SHA-256 hashes. Plaintext keys are never retained after generation.

3. How We Use Your Data

We use your data to:

  • Provide and improve the Service.
  • Process payments and manage subscriptions.
  • Generate security reports and analytics for your dashboard.
  • Detect abuse and enforce usage limits (rate limiting, scan quotas).
  • Communicate important updates about the Service.

4. Legal Basis (GDPR)

We process your data based on:

  • Contract: To provide the Service you signed up for.
  • Legitimate interest: To improve the Service, prevent abuse, and ensure security.
  • Consent: For optional marketing communications (you can opt out at any time).

5. Third-Party Services

We share data with the following third-party providers:

  • Stripe: Payment processing. Subject to Stripe's Privacy Policy.
  • Google: OAuth authentication (if you sign in with Google). Subject to Google's Privacy Policy.
  • LLM providers (Mistral, OpenAI): Attack prompts and chatbot responses are sent to LLM providers for security evaluation. No personally identifiable information is included in these requests.

6. Cookies

We use the following cookies:

  • Session cookies: Essential for authentication. Expire when your session ends.
  • Preference cookies: Store your theme choice. Stored locally in your browser.

We do not use advertising or tracking cookies.

7. Data Retention

We retain your account data for as long as your account is active. Scan reports are retained for the lifetime of your account. If you delete your account, all associated data (scans, vulnerabilities, custom tests, API keys) is permanently deleted within 30 days.

8. Your Rights (GDPR)

If you are located in the European Economic Area, you have the right to:

  • Access your personal data.
  • Rectify inaccurate data.
  • Delete your account and all associated data.
  • Export your data in a portable format (PDF reports).
  • Object to processing based on legitimate interest.

To exercise these rights, contact us at privacy@shield-llm.app.

9. Security

We implement industry-standard security measures to protect your data, including encrypted connections (HTTPS), hashed API keys (SHA-256), session-based authentication, rate limiting, and CORS validation. However, no method of transmission or storage is 100% secure.

10. Children

The Service is not intended for users under the age of 16. We do not knowingly collect personal data from children.

11. Changes to This Policy

We may update this Privacy Policy from time to time. Material changes will be communicated via email or through the Service. The "Last updated" date at the top reflects the latest revision.

12. Contact

For privacy-related questions or requests, contact our Data Protection Officer at privacy@shield-llm.app.